Seeking mysql_real_escape_string () anti-injection

Source: Internet
Author: User

Mysql_real_escape_string () is considered a good alternative to addslashes () and mysql_escape_string (), which can solve the problem of wide-byte and injection, but the official description of it is not clear:

Mysql_real_escape_string-escapes special characters in strings used in SQL statements, and takes into account the current character set of the connection

This sentence really does not understand, considering the connection of the current character set what meaning, please master detailed talk, thank you!

Reference:
http://php.net/manual/zh/function.mysql-real-escape-string.php
Http://www.cnblogs.com/suihui/archive/2012/09/20/2694751.html
Http://www.neatstudio.com/show-963-1.shtml

Supplementary questions: @ Acting and acting
1. Add the \ does not pass into MySQL, then if injected ' or 1=1;-- s , the injection content here eventually did not upload to MySQL to execute it?
Reference: https://segmentfault.com/q/1010000005994443

2. 并考虑到连接的当前字符集 What do you mean? Change the character set of the current connection?

Reply content:

Mysql_real_escape_string () is considered a good alternative to addslashes () and mysql_escape_string (), which can solve the problem of wide-byte and injection, but the official description of it is not clear:

Mysql_real_escape_string-escapes special characters in strings used in SQL statements, and takes into account the current character set of the connection

This sentence really does not understand, considering the connection of the current character set what meaning, please master detailed talk, thank you!

Reference:
http://php.net/manual/zh/function.mysql-real-escape-string.php
Http://www.cnblogs.com/suihui/archive/2012/09/20/2694751.html
Http://www.neatstudio.com/show-963-1.shtml

Supplementary questions: @ Acting and acting
1. Add the \ does not pass into MySQL, then if injected ' or 1=1;-- s , the injection content here eventually did not upload to MySQL to execute it?
Reference: https://segmentfault.com/q/1010000005994443

2. 并考虑到连接的当前字符集 What do you mean? Change the character set of the current connection?

That's what this is about, MySQL. GBK Double byte injection

For example, a user login assumes your SQL statement:
$sql = "select * from user where user_name='$username' and password='$password'";

1 if there is an injection point and is not escaped. Pass parameter username= ' or 1=1;--s then the SQL statement at this point is

$sql = "select * from user where user_name='' or 1=1;-- s ' and password='$password'";

Because--it's an annotation character, so you don't have to go around

2 If there is an injection point and a special character escape is used. So the SQL statement at this point is

$sql = "select * from user where user_name='\' or 1=1;-- s ' and password='$password'";

Cannot bypass

3 This time the problem comes, the awesome hacker has discovered that there is a wide-byte injection of GBK encoding. This time pass username=%df%27 or 1=1;--

The SQL statement that was executed at this time becomes:

$sql = "select * from user where user_name='運' or 1=1;-- s ' and password='$password'"; Successful bypass

How to solve this problem

Mysql_real_escape_string-escapes special characters in strings used in SQL statements, and takes into account the current character set of the connection

mysql_real_escape_stringMethod The SQL escape mechanism of the statement, which changes with the character set of the current database connection. The same SQL statement, under different character sets, is not necessarily the same as the result of escaping.

Important:

mysql_real_escape_stringMethod is mysql an extension that has been PHP marked obsolete since the version 5.5.0 and PHP 7 is removed after the version. Please use mysqli or PDO extend the database operation. Database character Set Please try to use it utf8 or utf8mb4 (better).

  • Contact Us

    The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

    If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

    A Free Trial That Lets You Build Big!

    Start building with 50+ products and up to 12 months usage for Elastic Compute Service

    • Sales Support

      1 on 1 presale consultation

    • After-Sales Support

      24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.